------------------------------------------------------------------------------
TJ Saunders
2001-08-30
------------------------------------------------------------------------------
Problem
------------------------------------------------------------------------------

In attempting to use OpenSSL BIOs for a custom application, I encountered
the situation where I wanted a BIO chain that would compress and encrypt
data written to a sink, and decompress and decrypt that data when read back.

I searched the OpenSSL mailing archives, and read the following two archived
messages that touched on this same topic:

  http://www.mail-archive.com/openssl-users@openssl.org/msg12948.html
  http://www.mail-archive.com/openssl-users@openssl.org/msg09399.html

While these messages contained useful hints, they weren't enough to address
my needs. The BIO described in the second message, using zlib's gzread()
and gzwrite() functions, would create a BIO that could only be used as the
last BIO in a chain, above a file BIO source/sink. Unfortunately, this is
not the ideal place for compressing data in conjunction with encryption. As
noted in "Applied Cryptography", 2nd ed, Schneier, pp.226:

  "The important thing to remember is to compress before encryption. If
   the encryption algorithm is any good, the ciphertext will not be
   compressible; it will look like random data."

The compression BIO described in the archived messages would do compression
_after_ encryption. For my needs, I was looking for a compression filter
BIO.

------------------------------------------------------------------------------
Solution
------------------------------------------------------------------------------

Write my own compression filter BIO, using lower-level zlib functions than
gzread(), gzwrite(). This requires that zlib be installed on your system
(included by default in many cases). If not present, zlib can be obtained
from:

  http://www.gzip.org/zlib/

------------------------------------------------------------------------------
Comments
------------------------------------------------------------------------------

I'm not sure if this BIO is thread-safe (it should be, as long as zlib
itself is thread-safe).

A configure-time option or detection of zlib.h should probably be included,
if this code is accepted into the official OpenSSL distribution.

The patch for crypto/bio.h is not yet tested, but should work -- it adds to
crypto/bio.h the information in the included bio_zlib.h file.

------------------------------------------------------------------------------
Affected Files
------------------------------------------------------------------------------

  crypto/bio.h -- add BIO_ZLIB information

------------------------------------------------------------------------------
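
The ordering argument from the Problem section, as an added example that is
not part of the original README or of the BIO patch it describes: a minimal
Python model of a filter chain (writes pass through the filters top-down,
reads in reverse) that measures both orderings on a constructed input. The
Chain class, the sample data and the toy SHA-256 counter-mode keystream
standing in for the cipher BIO are assumptions made for illustration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the cipher
    filter; not for real use. XOR is its own inverse, so the same call both
    encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class Chain:
    """Filters listed top-down: writes apply them in order, reads in reverse."""

    def __init__(self, *filters):
        self.filters = filters  # each filter is (write_transform, read_transform)

    def write(self, data: bytes) -> bytes:
        for on_write, _ in self.filters:
            data = on_write(data)
        return data  # what reaches the sink

    def read(self, data: bytes) -> bytes:
        for _, on_read in reversed(self.filters):
            data = on_read(data)
        return data


KEY = b"constructed demo key"
COMPRESS = (zlib.compress, zlib.decompress)
ENCRYPT = (lambda d: keystream_xor(KEY, d), lambda d: keystream_xor(KEY, d))
SAMPLE = b"2001-08-30 12:00:00 GET /index.html 200\n" * 500  # constructed input


def compare(plaintext: bytes) -> dict:
    good = Chain(COMPRESS, ENCRYPT)  # compression filter above the cipher
    bad = Chain(ENCRYPT, COMPRESS)   # compression only at the sink, after the cipher
    g, b = good.write(plaintext), bad.write(plaintext)
    assert good.read(g) == plaintext and bad.read(b) == plaintext
    return {"plain": len(plaintext),
            "compress_then_encrypt": len(g),
            "encrypt_then_compress": len(b)}


if __name__ == "__main__":
    print(compare(SAMPLE))
```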